www/chromium: update to 148.0.7778.96
* 148.0.7778.96
This update includes 127 security fixes. Below, we highlight fixes
that were contributed by external researchers. Please see the Chrome Security Page for more information.
Many of our security bugs are detected using AddressSanitizer, MemorySanitizer,
UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, or AFL.
[$43000][493747582] Critical CVE-2026-7896: Integer overflow in Blink. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-03-18
[N/A][504069514] Critical CVE-2026-7897: Use after free in Mobile. Reported by Google on 2026-04-18
[N/A][504587882] Critical CVE-2026-7898: Use after free in Chromoting. Reported by Google on 2026-04-20
[$55000][505481948] High CVE-2026-7899: Out of bounds read and write in V8. Reported by Project WhatForLunch (@pjwhatforlunch) on 2026-04-23
[$16000][496503799] High CVE-2026-7900: Heap buffer overflow in ANGLE. Reported by Anonymous on 2026-03-26
[244 lines not shown]
Address problems with MIPS Malta platform code found running under QEMU.
QEMU's "malta" system emulates a MIPS Malta with the Gallileo host bridge
and 32-bit or 64-bit CPUs of either endianness. It is one of the only
working QEMU system-level emulations that could run NetBSD with all
combinations of endianness and address size. After fixes to QEMU over the
past several years, NetBSD has been unable to use the emulated PCI bus in
big-endian and 64-bit configurations.
No actual Malta hardware with any Gallileo-based CPU card could be found
for testing. These changes have been checked against the databook and
some limited checking of the relevant QEMU changes (which seem to have
mostly come from former MIPS employees) was also performed.
Changes:
1. The GT-64120 host bridge _does_ byte-swap access to other PCI targets,
but _does not_ byte-swap access to itself (bus 0, device 0). QEMU
evidently used to get this wrong, but, I confirmed with the databook.
This means we need to manually byte-swap a bunch of access to the
[29 lines not shown]
Fix MKDEBUGKERNEL vs MKDEBUG for kernel debug file sets.
The problem manifests as checkflist failures when building ports that
have extensive ALL_KERNELS but not...building all the kernels; notably
the various "evb" ports with a bazillion kernels for a bazillion SoCs.
The mk.conf(5) man page documents MKDEBUGKERNEL as controlling
whether kernel debug files (netbsd-*.debug) appear in the
distribution sets. However, the prior implementation used MKDEBUG
(the general userland debug flag) instead.
This meant MKDEBUG=yes with MKDEBUGKERNEL=no incorrectly expected
kernel debug files for every kernel config listed in ALL_KERNELS.
When only a subset of kernels is built, checkflist fails with
missing files.
The fix is to make these variables fully conform to the longstanding
documentation. MKDEBUGKERNEL controls whether kernel debug symbols are
built; MKDEBUG controls everything else. If you want something like the
old behavior but minus the bugs, set both.
py-wtforms: update to 3.2.2.
What's Changed
remove slsa provenance by @davidism in #879
fix(validators): Disabled validation with provided formdata by @subnix in #880
Support Python versions from 3.10 to 3.14 by @azmeuk in #883
Update FAQ to reflect 3.10+ support by @kurtmckee in #884
GHA improvements by @azmeuk in #888
A few things done while chasing down mod/ref bugs:
- pmap_remove_mapping() can now take pointer to the vm_page, saving a
lookup and allowing some additional assertions when it's available
(which is "frequently" in this implementation).
- All of the PTE load/store/modify-in-PT helpers now are decorated
with "volatile".
- Don't bother with atomic_load / atomic_store.
- Simplify pmap_testbit() and pmap_changebit().
- Add more PMAP_DEBUG-only mod/ref tests (including a test that validates
MMU beavior that was used to find a Qemu m68k emulator bug).
py-pip: update to 26.1.1.
Bug Fixes
Fix issue where uninstallation left behind empty directories.
Revert the removal of the adjacent __pycache__ directory when
a .py file is removed. (#13973)
py-pdf: update to 6.11.0.
## Version 6.11.0, 2026-05-09
### New Features (ENH)
- Initialise a Font from an embedded font file (#3704)
### Robustness (ROB)
- Allow to fix AES padding length in non-strict mode (#3742)
### Developer Experience (DEV)
- Enable PyPy testing again (#3752)
- Align mypy Makefile target with strict mode (#3690)
